Closed Bug 2033102 Opened 2 months ago Closed 7 days ago

Support allowed_permissions in ExtensionSettings enterprise policy

Categories

(Firefox :: Enterprise Policies, enhancement)

enhancement

Tracking

RESOLVED FIXED
154 Branch
Tracking Status
firefox153 --- fixed
firefox154 --- fixed

People

(Reporter: mkaply, Assigned: mkaply)

Details

Attachments

(2 files)

Follow-up to bug 1904061, which added blocked_permissions.

Chrome's ExtensionSettings policy also supports allowed_permissions, which
acts as an explicit override of blocked_permissions. Though not documented
at https://support.google.com/chrome/a/answer/9867568, it's present in the
Chromium source:

And in the (more recent) "Managing Extensions in Your Enterprise - 2025 update"
Google doc.

Manual verification: if blocked_permissions and allowed_permissions both
include the same entry, allowed_permissions wins.

Scope:

  • Add allowed_permissions to both "*" and per-id entries in
    browser/components/enterprisepolicies/schemas/policies-schema.json.
  • In EnterprisePoliciesParent.sys.mjs mayInstallAddon, apply
    allowed_permissions as an override before evaluating
    blocked_permissions.
  • In toolkit/components/extensions/parent/ext-permissions.js, same override
    in the permissions.request check.
  • In toolkit/mozapps/extensions/content/aboutaddons.js, don't lock the
    optional-permission toggle for permissions present in allowed_permissions.
  • Strip internal:-prefixed entries in setExtensionSettings (same as
    blocked_permissions).
  • xpcshell + mochitest-browser coverage mirroring bug 1904061's tests.

allowed_permissions un-blocks blocked_permissions with one consistent model on
both the install path (mayInstallAddon) and the optional-permission path
(permissions.request and the about:addons toggles): a per-id entry replaces "*"
entirely, and a per-id allowed_permissions un-blocks its own
blocked_permissions. "*"-level allowed_permissions is inert. To un-block a
permission for an extension, list both blocked_permissions and
allowed_permissions in that extension's per-id entry.

The effective blocked list is resolved once in getExtensionSettings, which
mayInstallAddon and the optional-permission consumers all read.
allowed_permissions is sanitized with the same permission-name regex as
blocked_permissions.

Assignee: nobody → mozilla
Status: NEW → ASSIGNED
Pushed by mozilla@kaply.com:
https://github.com/mozilla-firefox/firefox/commit/e6c6006f1a87
https://hg.mozilla.org/integration/autoland/rev/9b7b66354e03
Add support for allowed_permissions ExtensionSettings policy. r=extension-reviewers,zombie
Status: ASSIGNED → RESOLVED
Closed: 7 days ago
Resolution: --- → FIXED
Target Milestone: --- → 154 Branch

firefox-beta Uplift Approval Request

  • User impact if declined/Reason for urgency: Policy related. Want for 153 ESR.
  • Code covered by automated testing?: yes
  • Fix verified in Nightly?: yes
  • Needs manual QE testing?: no
  • Steps to reproduce for manual QE testing:
  • Risk associated with taking this patch: low
  • Explanation of risk level: Policy only change
  • String changes made/needed?: None
  • Is Android affected?: no
Attachment #9603523 - Flags: approval-mozilla-beta?

allowed_permissions un-blocks blocked_permissions with one consistent model on
both the install path (mayInstallAddon) and the optional-permission path
(permissions.request and the about:addons toggles): a per-id entry replaces "*"
entirely, and a per-id allowed_permissions un-blocks its own
blocked_permissions. "*"-level allowed_permissions is inert. To un-block a
permission for an extension, list both blocked_permissions and
allowed_permissions in that extension's per-id entry.

The effective blocked list is resolved once in getExtensionSettings, which
mayInstallAddon and the optional-permission consumers all read.

Original Revision: https://phabricator.services.mozilla.com/D307408

Attachment #9603523 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
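
The resolution model stated in the patch summary, as an added sketch for administrators reviewing a policy before deployment; it is not Firefox source code. The function names, the sample extension ids and the `PERMISSION_NAME` regex are assumptions (the bug does not quote the real regex), and "replaces entirely" is read here as: a per-id entry without blocked_permissions blocks nothing.

```javascript
// Added sketch, not Firefox source. PERMISSION_NAME is an assumed stand-in
// for the real permission-name regex, which the bug does not quote.
const PERMISSION_NAME = /^[A-Za-z][A-Za-z0-9_.:-]*$/;

// Drop non-string, malformed and internal:-prefixed entries.
function sanitize(list) {
  return (Array.isArray(list) ? list : []).filter(
    p => typeof p === "string" && PERMISSION_NAME.test(p) && !p.startsWith("internal:")
  );
}

// Effective blocked list for one add-on: a per-id entry replaces "*" entirely,
// and allowed_permissions only subtracts from the same entry's blocked list.
function effectiveBlocked(settings, addonId) {
  const perId = Object.hasOwn(settings, addonId);
  const entry = (perId ? settings[addonId] : settings["*"]) ?? {};
  const blocked = sanitize(entry.blocked_permissions);
  if (!perId) return blocked; // "*"-level allowed_permissions is inert
  const allowed = new Set(sanitize(entry.allowed_permissions));
  return blocked.filter(p => !allowed.has(p));
}

// Findings an administrator would want to see before deploying the policy.
function auditPolicy(settings) {
  const findings = [];
  const globalBlocked = sanitize(settings["*"]?.blocked_permissions);
  for (const [id, entry] of Object.entries(settings)) {
    const allowed = sanitize(entry?.allowed_permissions);
    if (id === "*") {
      if (allowed.length) findings.push("*: allowed_permissions is inert");
      continue;
    }
    const blocked = new Set(sanitize(entry?.blocked_permissions));
    const noEffect = allowed.filter(p => !blocked.has(p));
    if (noEffect.length) findings.push(`${id}: allowed but not blocked here: ${noEffect}`);
    const dropped = globalBlocked.filter(p => !blocked.has(p));
    if (dropped.length) findings.push(`${id}: "*" blocks not inherited: ${dropped}`);
  }
  return findings;
}

// Constructed sample policy (extension ids are made up).
const samplePolicy = {
  "*": { blocked_permissions: ["history", "nativeMessaging"], allowed_permissions: ["history"] },
  "a@example.com": { blocked_permissions: ["history", "nativeMessaging"], allowed_permissions: ["history"] },
  "b@example.com": { installation_mode: "allowed", allowed_permissions: ["history"] },
};
console.log(auditPolicy(samplePolicy));
```

The second finding for `b@example.com` is the one to watch in review: under this model, adding a per-id entry for any other reason also drops the "*" blocklist for that extension unless the entry repeats it.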